Hi all
We now have the ability to "tune" alerts in Defender - for example, suppressing / auto-resolving alerts we consider false positives or "noise".
What we would like to do is to suppress alerts that relate to a specific domain (e.g. email address removed for privacy reasons) but still receive alerts for staff accounts (email address removed for privacy reasons).
This does not appear possible. Despite setting a rule so that the trigger includes "Account domain - student.school.edu.au", it still suppresses all alerts. I believe this is due to the 2 domains being on the same tenant, as the user account listed in the AAD IDP Defender alert timeline is the same regardless:
User name: email address removed for privacy reasons OR email address removed for privacy reasons
User account: school.edu
Is there a way to separate and suppress alerts depending on whether the user is on the school.domain or student.school.domain?